Bug 1340065 (CVE-2016-5097, CVE-2016-5098, CVE-2016-5099) - CVE-2016-5097 CVE-2016-5098 CVE-2016-5099 phpMyAdmin: Multiple issues fixed in 4.6.2 and 4.4.15.6 (PMASA-2016-16,PMASA-2016-15,PMASA-2016-14)
Status: CLOSED ERRATA
Alias: CVE-2016-5097, CVE-2016-5098, CVE-2016-5099
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1340066 1340068 1340069 1340070
Reported: 2016-05-26 12:04 UTC by Adam Mariš
Modified: 2021-02-17 03:49 UTC

Fixed In Version: phpMyAdmin 4.6.2, phpMyAdmin 4.4.15.6
Last Closed: 2016-11-28 14:35:30 UTC
Description Adam Mariš 2016-05-26 12:04:02 UTC
Multiple issues were fixed in phpMyAdmin:

----------------------

1. Cross-site scripting vulnerability (PMASA-2016-16):

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affects versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2).

Upstream patches:

4.6 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

4.4 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

----------------------

2. File Traversal Protection Bypass on Error Reporting (PMASA-2016-15):

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file.

The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested.

Only the git 'master' development branch was affected. No released version was vulnerable.

Upstream patch:

https://github.com/phpmyadmin/phpmyadmin/commit/d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8

----------------------

3. Sensitive Data in URL GET Query Parameters (PMASA-2016-14):

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

As a mitigation, avoid clicking on external links in phpMyAdmin which are not redirected through the url.php script.

Affects versions prior to 4.6.2.

Upstream patches:

https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f
https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f
https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3
https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1

External References:

https://www.phpmyadmin.net/security/PMASA-2016-16/
https://www.phpmyadmin.net/security/PMASA-2016-15/
https://www.phpmyadmin.net/security/PMASA-2016-14/
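
Added example (not part of the original report and not phpMyAdmin code): a log audit for the PMASA-2016-14 exposure. It finds access-log lines where a SQL query appears in a URL, in the request target or in a Referer header, and emits a redacted copy. The parameter name `sql_query`, the Combined Log Format and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: the user's SQL travels in a GET parameter named "sql_query";
# adjust SENSITIVE_PARAMS for the deployment being audited.
SENSITIVE_PARAMS = {"sql_query"}

# Combined Log Format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def leaked_params(url):
    """Return the sensitive parameter names present in a URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k in SENSITIVE_PARAMS})

def redact(url):
    """Replace sensitive parameter values so the finding can be stored safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def audit(lines):
    """Yield (line_no, field, redacted_url); field is "request" or "referer"."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a Combined Log Format line
        for field, url in (("request", m["target"]), ("referer", m["referer"])):
            if leaked_params(url):
                yield no, field, redact(url)

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - - [26/May/2016:12:00:01 +0000] "GET /phpmyadmin/sql.php?db=shop&sql_query=SELECT+%2A+FROM+users+WHERE+email%3D%27a%40example.com%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/May/2016:12:00:05 +0000] "GET /phpmyadmin/index.php?db=shop HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/May/2016:12:01:00 +0000] "GET /docs/help.html HTTP/1.1" 200 900 "https://db.example.org/phpmyadmin/sql.php?sql_query=SELECT+password+FROM+accounts" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

A "request" hit means the query text is already stored in that server's own log; a "referer" hit shows how the same URL appears in the log of whatever site a followed link pointed to.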

Comment 2 Adam Mariš 2016-05-26 12:05:07 UTC
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1340066]
Affects: epel-all [bug 1340068]

Comment 3 Adam Mariš 2016-05-26 12:05:14 UTC
Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-5 [bug 1340069]

Comment 4 Robert Scheck 2016-05-29 19:06:09 UTC
From what I get, upstream does not plan to address the flaw for phpMyAdmin
4.0.10.x series even though it is affected:

 - https://twitter.com/phpmya/status/736096283606142976
 - https://twitter.com/phpmya/status/736096512556421122

Is somebody able to help here? Backporting the commits doesn't seem to be
trivial as upstream already stated.

Comment 5 Andrej Nemec 2016-05-30 06:58:39 UTC
CVEs were assigned to these issues.

PMASA-2016-16: CVE-2016-5099
PMASA-2016-15: CVE-2016-5098
PMASA-2016-14: CVE-2016-5097

Comment 6 Robert Scheck 2016-06-04 22:25:50 UTC
Upstream meanwhile backported fixes to 4.0.10.x series.

Comment 7 Fedora Update System 2016-06-21 20:47:20 UTC
phpMyAdmin4-4.0.10.15-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-06-21 21:47:49 UTC
phpMyAdmin-4.0.10.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
